From: Dr. David von Oheimb Date: Sat, 7 Oct 2023 16:14:05 +0000 (+0200) Subject: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify various cert list parameters X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b235c756f1053a79a837e2bd772eda5a059888ae;p=thirdparty%2Fopenssl.git crypto/{CMS,PKCS7,OCSP,TS,X509}: constify various cert list parameters Reviewed-by: Dmitry Belyavskiy Reviewed-by: Frederik Wedel-Heinen (Merged from https://github.com/openssl/openssl/pull/22304) --- diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 07475d6a435..274336189bd 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -945,7 +945,7 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, X509 *cert, const EVP_PKEY *pkey, const X509 *encryption_recip, - STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, + const STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index c72a7e09cd9..4157b341c0f 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -504,7 +504,7 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, X509 *cert, const EVP_PKEY *pkey, const X509 *encryption_recip, - STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, + const STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors) { OSSL_CMP_MSG *msg = NULL; diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 2fd66e08ac0..040c8ea22e3 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c 
@@ -871,7 +871,7 @@ int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert) return ossl_cms_SignerIdentifier_cert_cmp(si->sid, cert); } -int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts, +int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *scerts, unsigned int flags) { CMS_SignedData *sd; @@ -1489,8 +1489,9 @@ err: } BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data, - STACK_OF(X509) *scerts, X509_STORE *store, - STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls, + const STACK_OF(X509) *scerts, X509_STORE *store, + const STACK_OF(X509) *extra, + const STACK_OF(X509_CRL) *crls, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq) { diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index fe631b27a20..e8585ce541f 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -302,7 +302,7 @@ err: } /* This strongly overlaps with PKCS7_verify() */ -int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, +int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs, X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags) { CMS_SignerInfo *si; @@ -494,7 +494,7 @@ err2: } int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, - STACK_OF(X509) *certs, + const STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags) { int r; @@ -507,7 +507,7 @@ int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, } CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, BIO *data, + const STACK_OF(X509) *certs, BIO *data, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq) { 
@@ -554,15 +554,15 @@ err: return NULL; } -CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, - BIO *data, unsigned int flags) +CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, + const STACK_OF(X509) *certs, BIO *data, unsigned int flags) { return CMS_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL); } CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, unsigned int flags) + const STACK_OF(X509) *certs, unsigned int flags) { CMS_SignerInfo *rct_si; CMS_ContentInfo *cms = NULL; @@ -632,7 +632,7 @@ err: return NULL; } -CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *data, +CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *data, const EVP_CIPHER *cipher, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq) { @@ -669,7 +669,7 @@ err: return NULL; } -CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data, +CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *data, const EVP_CIPHER *cipher, unsigned int flags) { return CMS_encrypt_ex(certs, data, cipher, flags, NULL, NULL); diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index a4f954f9a4f..4c20509214f 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -71,7 +71,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags) + const STACK_OF(X509) *certs, unsigned long flags) { if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) goto err; diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index 56276ad6017..6799aa84c86 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c 
@@ -164,7 +164,7 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) */ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, - STACK_OF(X509) *certs, unsigned long flags) + const STACK_OF(X509) *certs, unsigned long flags) { OCSP_RESPID *rid; EVP_PKEY *pkey; @@ -211,7 +211,7 @@ err: int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags) + const STACK_OF(X509) *certs, unsigned long flags) { EVP_MD_CTX *ctx = EVP_MD_CTX_new(); EVP_PKEY_CTX *pkctx = NULL; diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 3b6b1fe052b..e1faf29e080 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -14,8 +14,8 @@ #include "ocsp_local.h" static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, unsigned long flags); -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); + const STACK_OF(X509) *certs, unsigned long flags); +static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); @@ -23,7 +23,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); static int ocsp_check_delegated(X509 *x); static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, - const X509_NAME *nm, STACK_OF(X509) *certs, + const X509_NAME *nm, const STACK_OF(X509) *certs, unsigned long flags); /* Returns 1 on success, 0 on failure, or -1 on fatal error */ @@ -95,7 +95,7 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, } /* Verify a basic response message */ -int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, +int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer, *x; 
@@ -160,13 +160,13 @@ end: } int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, - STACK_OF(X509) *extra_certs) + const STACK_OF(X509) *extra_certs) { return ocsp_find_signer(signer, bs, extra_certs, 0) > 0; } static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, unsigned long flags) + const STACK_OF(X509) *certs, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = &bs->tbsResponseData.responderId; @@ -185,7 +185,7 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, return 0; } -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) +static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id) { int i, r; unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; @@ -380,7 +380,7 @@ static int ocsp_check_delegated(X509 *x) * Just find the signer's certificate and verify it against a given trust value. * Returns 1 on success, 0 on failure and on fatal error. */ -int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, +int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags) { X509 *signer; @@ -417,7 +417,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, } static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, - const X509_NAME *nm, STACK_OF(X509) *certs, + const X509_NAME *nm, const STACK_OF(X509) *certs, unsigned long flags) { X509 *signer; diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 97f20058979..c5604864cea 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c 
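Review bot: The `const` added to `extra_certs` in OCSP_resp_get0_signer() covers only the stack container, while the certificate handed back through `*signer` is still a mutable `X509 *` that ocsp_find_signer_sk() appears to return straight from that list. Given the get0 naming, the pointer is presumably not up-ref'ed, so a caller that frees `extra_certs` (or `bs`) while still using `*signer` would hold a dangling pointer; this needs confirming against the function bodies, which lie outside the hunk. I would state the contract above the function, e.g. `/* *signer is borrowed, not up-ref'ed; it may point into bs or extra_certs, which must outlive its use */`. The same applies to PKCS7_get0_signers() in pk7_smime.c and to X509_find_by_issuer_and_serial() and X509_find_by_subject() in x509_cmp.c, which now also return a non-const element of a const stack.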
@@ -20,9 +20,8 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); -PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, - BIO *data, int flags, OSSL_LIB_CTX *libctx, - const char *propq) +PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs, + BIO *data, int flags, OSSL_LIB_CTX *libctx, const char *propq) { PKCS7 *p7; int i; @@ -64,7 +63,7 @@ err: return NULL; } -PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, +PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs, BIO *data, int flags) { return PKCS7_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL); @@ -208,7 +207,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si) } /* This strongly overlaps with CMS_verify(), partly with PKCS7_dataVerify() */ -int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags) { STACK_OF(X509) *signers; @@ -360,8 +359,7 @@ err: return ret; } -STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, - int flags) +STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int flags) { STACK_OF(X509) *signers, *included_certs; STACK_OF(PKCS7_SIGNER_INFO) *sinfos; @@ -421,7 +419,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, /* Build a complete PKCS#7 enveloped data */ -PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in, +PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags, OSSL_LIB_CTX *libctx, const char *propq) { @@ -463,8 +461,7 @@ err: return NULL; } -PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, - int flags) +PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags) { return PKCS7_encrypt_ex(certs, in, cipher, flags, NULL, NULL); } 
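Review bot: The rewrapped signature line `PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,` comes to 81 columns as rendered here, just past OpenSSL's 80-column coding-style limit. The joined one-line definitions of PKCS7_get0_signers() (@@ -360) and PKCS7_encrypt() (@@ -463) are further over. So are the matching prototypes in include/openssl/pkcs7.h.in, ossl_x509_add_certs_new() in x509_cmp.c and include/crypto/x509.h, and X509_find_by_issuer_and_serial(). I would keep the wrapping that the .pod synopses in this commit use, e.g. `PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in,` followed by `const EVP_CIPHER *cipher, int flags)` on an aligned continuation line.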
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 40dab687d1c..e03c9553db8 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -84,7 +84,7 @@ static const struct { * - Verify the signature value. * - Returns the signer certificate in 'signer', if 'signer' is not NULL. */ -int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, +int TS_RESP_verify_signature(PKCS7 *token, const STACK_OF(X509) *certs, X509_STORE *store, X509 **signer_out) { STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL; diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 6d9848d234e..c915fa4d84d 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -225,7 +225,7 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags) return 1; } -int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags) +int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags) /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */ { if (sk == NULL) { @@ -235,8 +235,7 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags) return ossl_x509_add_certs_new(&sk, certs, flags); } -int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, - int flags) +int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, const STACK_OF(X509) *certs, int flags) /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */ { int n = sk_X509_num(certs /* may be NULL */); @@ -342,7 +341,7 @@ end: #endif /* Search a stack of X509 for a match */ -X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name, +X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name, const ASN1_INTEGER *serial) { int i; 
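Review bot: The comment block above TS_RESP_verify_signature() still says the signer is returned "in 'signer', if 'signer' is not NULL", but the parameter is named `signer_out`. Since this commit touches the prototype anyway, I would align the wording: `* - Returns the signer certificate in '*signer_out', if 'signer_out' is not NULL.` It would also help to say there whether the returned certificate is up-ref'ed, and that `certs` only supplies candidate certificates while trust comes from `store`. Both of those are inferred from the parameter names, as the function body is outside the hunk.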
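Review bot: The comment kept under the new X509_add_certs() signature, `/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */`, read as the reason the parameter was left non-const and now contradicts the `const STACK_OF(X509) *certs` directly above it. The qualifier protects only the stack container; the X509 objects in it can still have their reference counts changed, which callers sharing those certificates should be told. I would reword it to `/* 'const' applies to the stack only; the certs in it may get up-ref'ed */`, and do the same for the identical comment on ossl_x509_add_certs_new() in the @@ -235 hunk.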
@@ -362,7 +361,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name, return NULL; } -X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name) +X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name) { X509 *x509; int i; diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod index bccf7fe432d..1eaa17bef0a 100644 --- a/doc/man3/CMS_encrypt.pod +++ b/doc/man3/CMS_encrypt.pod @@ -8,10 +8,10 @@ CMS_encrypt_ex, CMS_encrypt - create a CMS envelopedData structure #include - CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in, + CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); - CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, + CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags); =head1 DESCRIPTION diff --git a/doc/man3/CMS_sign_receipt.pod b/doc/man3/CMS_sign_receipt.pod index 2d3542a9910..ba8a8e84aa0 100644 --- a/doc/man3/CMS_sign_receipt.pod +++ b/doc/man3/CMS_sign_receipt.pod @@ -9,7 +9,7 @@ CMS_sign_receipt - create a CMS signed receipt #include CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, - EVP_PKEY *pkey, STACK_OF(X509) *certs, + EVP_PKEY *pkey, const STACK_OF(X509) *certs, unsigned int flags); =head1 DESCRIPTION diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod index bef4858c918..dab318fc7fc 100644 --- a/doc/man3/CMS_verify.pod +++ b/doc/man3/CMS_verify.pod 
@@ -10,11 +10,13 @@ CMS_SignerInfo_verify_content, CMS_SignerInfo_verify_ex #include - int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, + int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs, + X509_STORE *store, BIO *detached_data, BIO *out, unsigned int flags); BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data, - STACK_OF(X509) *scerts, X509_STORE *store, - STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls, + const STACK_OF(X509) *scerts, X509_STORE *store, + const STACK_OF(X509) *extra, + const STACK_OF(X509_CRL) *crls, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/doc/man3/CMS_verify_receipt.pod b/doc/man3/CMS_verify_receipt.pod index bf3019ae72f..414d71d45d8 100644 --- a/doc/man3/CMS_verify_receipt.pod +++ b/doc/man3/CMS_verify_receipt.pod @@ -9,7 +9,7 @@ CMS_verify_receipt - verify a CMS signed receipt #include int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, - STACK_OF(X509) *certs, X509_STORE *store, + const STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags); =head1 DESCRIPTION diff --git a/doc/man3/OCSP_REQUEST_new.pod b/doc/man3/OCSP_REQUEST_new.pod index 3f171e82297..cda2737b14a 100644 --- a/doc/man3/OCSP_REQUEST_new.pod +++ b/doc/man3/OCSP_REQUEST_new.pod @@ -17,7 +17,7 @@ OCSP_request_onereq_get0 - OCSP request functions int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); + const STACK_OF(X509) *certs, unsigned long flags); int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod index bc5db708625..2e36a26a88e 100644 --- a/doc/man3/OCSP_resp_find_status.pod +++ b/doc/man3/OCSP_resp_find_status.pod 
@@ -51,7 +51,7 @@ OCSP_check_validity, OCSP_basic_verify ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); - int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); =head1 DESCRIPTION diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod index 0902ae8a31b..79c742e13e4 100644 --- a/doc/man3/OCSP_response_status.pod +++ b/doc/man3/OCSP_response_status.pod @@ -26,10 +26,10 @@ OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, - const EVP_MD *dgst, STACK_OF(X509) *certs, + const EVP_MD *dgst, const STACK_OF(X509) *certs, unsigned long flags); int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, - STACK_OF(X509) *certs, unsigned long flags); + const STACK_OF(X509) *certs, unsigned long flags); =head1 DESCRIPTION diff --git a/doc/man3/PKCS7_encrypt.pod b/doc/man3/PKCS7_encrypt.pod index 79c769a7769..41f56b5d6f4 100644 --- a/doc/man3/PKCS7_encrypt.pod +++ b/doc/man3/PKCS7_encrypt.pod @@ -9,11 +9,11 @@ PKCS7_encrypt_ex, PKCS7_encrypt #include - PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in, + PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags, OSSL_LIB_CTX *libctx, const char *propq); - PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, - int flags); + PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in, + const EVP_CIPHER *cipher, int flags); =head1 DESCRIPTION diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod index 5c55aa191de..b8f4bb00406 100644 --- a/doc/man3/PKCS7_sign.pod +++ b/doc/man3/PKCS7_sign.pod 
@@ -9,10 +9,11 @@ PKCS7_sign_ex, PKCS7_sign #include - PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, + PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, + const STACK_OF(X509) *certs, BIO *data, int flags, OSSL_LIB_CTX *libctx, const char *propq); - PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, + PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs, BIO *data, int flags); =head1 DESCRIPTION diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod index b9e1ee30358..3f0a484e627 100644 --- a/doc/man3/PKCS7_verify.pod +++ b/doc/man3/PKCS7_verify.pod @@ -8,10 +8,11 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure #include - int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); - STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); + STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, + int flags); =head1 DESCRIPTION @@ -30,7 +31,7 @@ Otherwise I should be NULL, and then the signed data must be in I. The content is written to the BIO I unless it is NULL. I is an optional set of flags, which can be used to modify the operation. -PKCS7_get0_signers() retrieves the signer's certificates from I, it does +PKCS7_get0_signers() retrieves the signer certificates from I, it does B check their validity or whether any signatures are valid. The I and I parameters have the same meanings as in PKCS7_verify(). diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod index f59b93ba54d..2b3db780185 100644 --- a/doc/man3/X509_add_cert.pod +++ b/doc/man3/X509_add_cert.pod 
@@ -11,7 +11,7 @@ X509 certificate list addition functions #include int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags); - int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags); + int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags); =head1 DESCRIPTION diff --git a/include/crypto/x509.h b/include/crypto/x509.h index fd749f1bf38..ff073e24795 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -325,8 +325,7 @@ int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type, void *data, unsigned char *md, unsigned int *len, OSSL_LIB_CTX *libctx, const char *propq); int ossl_x509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags); -int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, - int flags); +int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, const STACK_OF(X509) *certs, int flags); STACK_OF(X509_ATTRIBUTE) *ossl_x509at_dup(const STACK_OF(X509_ATTRIBUTE) *x); diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index cf96c712b4c..60633354ed4 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in 
@@ -137,16 +137,13 @@ int CMS_final_digest(CMS_ContentInfo *cms, unsigned int flags); CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, BIO *data, - unsigned int flags); + const STACK_OF(X509) *certs, BIO *data, unsigned int flags); CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, BIO *data, - unsigned int flags, OSSL_LIB_CTX *libctx, - const char *propq); + const STACK_OF(X509) *certs, BIO *data, + unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); -CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, - X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, unsigned int flags); +CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, + EVP_PKEY *pkey, const STACK_OF(X509) *certs, unsigned int flags); int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags); CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags); 
@@ -176,18 +173,17 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt_ex(BIO *in, const EVP_CIPHER *cipher, int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, const unsigned char *key, size_t keylen); -int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, +int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs, X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags); int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, - STACK_OF(X509) *certs, - X509_STORE *store, unsigned int flags); + const STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags); STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms); -CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, +CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags); -CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in, +CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); @@ -297,7 +293,7 @@ int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno); int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert); -int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *certs, +int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *certs, unsigned int flags); void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer, X509_ALGOR **pdig, 
@@ -308,8 +304,8 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si); int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain); int CMS_SignerInfo_verify_ex(CMS_SignerInfo *si, BIO *chain, BIO *data); BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data, - STACK_OF(X509) *scerts, X509_STORE *store, - STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls, + const STACK_OF(X509) *scerts, X509_STORE *store, + const STACK_OF(X509) *extra, const STACK_OF(X509_CRL) *crls, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index d2cfd9c1163..f2380543ff9 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -224,7 +224,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); + const STACK_OF(X509) *certs, unsigned long flags); int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); @@ -233,7 +233,7 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, - STACK_OF(X509) *extra_certs); + const STACK_OF(X509) *extra_certs); int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); @@ -259,7 +259,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); -int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, +int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags); #define OCSP_parse_url(url, host, port, path, ssl) \ 
@@ -285,10 +285,10 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); + const STACK_OF(X509) *certs, unsigned long flags); int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, - STACK_OF(X509) *certs, unsigned long flags); + const STACK_OF(X509) *certs, unsigned long flags); int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, const char *propq); @@ -381,7 +381,7 @@ const char *OCSP_crl_reason_str(long s); int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); -int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, +int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); #ifdef __cplusplus diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in index 1d57255ae74..02a79c292c7 100644 --- a/include/openssl/pkcs7.h.in +++ b/include/openssl/pkcs7.h.in 
@@ -319,24 +319,21 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk); -PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, +PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs, BIO *data, int flags); -PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, - BIO *data, int flags, OSSL_LIB_CTX *libctx, - const char *propq); +PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs, + BIO *data, int flags, OSSL_LIB_CTX *libctx, const char *propq); PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); int PKCS7_final(PKCS7 *p7, BIO *data, int flags); -int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); -STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, - int flags); -PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, - int flags); -PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in, +STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int flags); +PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); +PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags, OSSL_LIB_CTX *libctx, const char *propq); int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, diff --git a/include/openssl/ts.h b/include/openssl/ts.h index 1d5110b1b78..ace878db6df 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h 
@@ -358,7 +358,7 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio); * they are defined in ts/ts_resp_verify.c. */ -int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, +int TS_RESP_verify_signature(PKCS7 *token, const STACK_OF(X509) *certs, X509_STORE *store, X509 **signer_out); /* Context structure for the generic verify method. */ diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 0ecf8c9049c..ae2e19d6743 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -808,7 +808,7 @@ unsigned long X509_subject_name_hash_old(X509 *x); #define X509_ADD_FLAG_NO_DUP 0x4 #define X509_ADD_FLAG_NO_SS 0x8 int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags); -int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags); +int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); @@ -1020,9 +1020,9 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key, const unsigned char *bytes, int len); /* lookup a cert from a X509 STACK */ -X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name, +X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name, const ASN1_INTEGER *serial); -X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name); +X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name); DECLARE_ASN1_FUNCTIONS(PBEPARAM) DECLARE_ASN1_FUNCTIONS(PBE2PARAM)